Is Zoom’s new privacy policy worth a damn? Proceed with caution, experts say

It’s a Zoom world, and we’re just living in it — but we may still be handing over our private data in the meantime. Use of the popular videoconferencing app Zoom has spiked as work has moved into people’s homes. According to the New York Times, the app saw 600,000 downloads in one day, and that was two weeks ago when COVID-induced lockdowns were just beginning to take effect. It’s no wonder the app has surged in popularity — it just works. Simply click on a link and have your meeting.

However, a recent investigation by Motherboard revealed that Zoom’s iOS app was sending data about users to Facebook, a practice not disclosed in the app’s privacy policy: people were inadvertently sharing their location, which device they were using, and advertising identification data, whether or not they had a Facebook account. A separate investigation by The Intercept showed that calls were not, in fact, end-to-end encrypted as the company had claimed. Even New York State Attorney General Letitia James is looking into the company’s privacy practices.

Zoom has since updated its iOS app to stop sending data to Facebook and has amended its privacy policy with what it calls “clarifying updates,” under the increased glare of media and public scrutiny. Among the changes: The company says “Customer Content” can no longer be used in ads, that video can only be saved at the request of a user, and it added details about the data it does collect.

Some experts said Zoom’s new policy does clarify and tighten up previously vague language regarding user data. The U.K.-based digital rights group ProPrivacy applauded the change but still urged caution.

“Zoom is complying with the laws, but it will share your data with Google where it is lawful to do so,” wrote Jo O’Reilly, digital privacy advocate for ProPrivacy. “It does go so far as to point out, though, that this is not a ‘sale’ of your data in the sense that most of us use the word ‘sale’, a clear attempt to shake off the controversy.”

James Carder, the chief security officer of LogRhythm, a security intelligence company, wasn’t sold. “This is fairly boilerplate stuff,” Carder told Digital Trends. “When you read their privacy policy now, it sounds like they’re trying to avoid responsibility and put the onus on the customer. It’s more of a response of ‘hey, we’re doing the right thing! The problem isn’t with us!’”

What’s in Zoom’s new privacy policy


In a statement to Digital Trends, Zoom said “It’s important to note that the ‘new’ privacy policy does not reflect any changes in our practices, it simply makes clarifying updates to the language” (emphasis theirs). The spokesperson also said that the practice of Zoombombing is “unrelated to the new privacy policy.” Zoombombing is a trolling tactic wherein an unauthorized user joins a Zoom meeting that isn’t secured with a password and acts in a disruptive manner, for instance by playing an inappropriate, loud video or shouting white supremacist slogans. Zoom said it “strongly encourage[s] hosts to review their settings.”

“The root issue is that people are accessing some form of data that they shouldn’t be accessing,” Carder said. “If I look at them releasing new privacy policy, I don’t think it’s addressing the root issue. I don’t see anything addressing security best practices, or what you could do with meetings that get Zoombombed. And this stuff is happening on every online collaboration platform.”

“When they came under scrutiny, they went back and reworked and clarified the policy dramatically to ease user minds,” said Eve Maler, interim chief technology officer of the digital identity company ForgeRock. “And they did a good job. But they should have known better.”

Maler said she thought Zoom did a good job addressing some core concerns, for instance compliance with child protection laws and medical privacy laws. But she said she’s seen this “walk of shame” from CEOs before: A company’s lax privacy policy is discovered, the CEO feigns contrition under scrutiny and offers a non-apology statement, and then the policy is changed.

“Customers have gotten more savvy and cynical and privacy sensitive, and regulators have too. Enterprises have to understand that modern data privacy has changed,” Maler said. “We’ve seen enough of these executive ‘walks of shame’ that they [Zoom] should have known that this would happen in this regulatory environment.”

Maler pointed to another dramatic instance of this exact pattern: Spotify in 2015. The music streaming app’s policy at the time allowed it to pretty much read a user’s entire phone. Users had inadvertently agreed to allow the app to view their Facebook posts, know their location, and see their contacts and photos. Spotify insisted there was a reasonable explanation, but CNN described the policy as “the opposite of private” and “creepy” and under the harsh glare of the media spotlight, the policy was amended.

“We don’t know the true intentions, but we’ve seen this happen before and people rightfully look askance at this exercise of power. Let’s just call it what it is,” Maler said. “They should have known that changing privacy policy in this environment will look like it was motivated by circumstances and newfound popularity. It’s not a good look.”
